A situational awareness application may be able to analyze IP multicast packets sent by one or more devices across a network to monitor those devices. Since packets are multicast, the situational awareness application can simply subscribe to the multicast stream to monitor it. The payload of the multicast packets can be encrypted to prevent the situational awareness application from gleaning the contents of the multicast packets, but the source address of the multicast packets is visible to the application. The application may be able to perform traffic analysis on the source IP address to elicit information such as the number of devices sending multicast packets and potentially, the location of the devices if a map of the network topology is known. Thus, the source IP addresses of multicast packets may provide information that it is desirable to protect.